Shariq Sheikh | Port 389

A question was raised on ActiveDir, and I learned about an old TechNet Jigsaw on AD’s interworking.

Along with that, there was a new Windows Server 2008 AD Feature Components which I received at Tech-Ed 2007 and it illustrates the new and improved AD pieces introduced with Windows Server 2008. This poster covers ADLDS, ADFS, ADRMS, and RODCs.

And an additional poster on general new Windows Server 2008 Feature Components that covers TS, NAP, IIS 7.0, Virtualization, Server Core and BitLocker.

Both of the above illustrations and very good quality large size posters (30x20in) and are good to hang in your office/cube. Printing them on regular printer may distort the quality, so you may try the plotter . All three can be downloaded from the following links :

TechNet Magazine Active Directory Component Jigsaw Poster

Windows Server 2008 Component Posters (both)

P.S This is my first test post using WLW.

Says the RID Master FSMO to a RODC. If you recall the RID Master’s sole job is to make sure that duplicate SIDs are not issued by domain controllers. Whenever a DC needs to create a SID, it takes the next available value from its own RID pool to create the SID with a unique value. The default pool size is 500 RIDs. When we run the RID pool test on a RODC, the test skips due to the DC being RODC and not having anything to do with the creation of the new objects.

dcdiag /v /test:ridmanager

Here is how the test is supposed to report back with the remaining pool of the allocated RIDs.

Much has been said about the manageability of AD Recycle Bin in Windows Server 2008 R2 via the Microsoft’s intended way i.e via PoSH cmdlets. Though this option stays to be only enable-able via PowerShell, the ability to restore objects (the process of reanimation of objects in earlier ADs) has been extended to GUI by Overall Solutions Inc. The GUI tool is very simple to use and its available for free. Below I show you how to restore a deleted OU with objects inside via this tool. See previous post on how to enable the AD Recycle Bin feature in your Windows Server 2008 R2 forest.

We delete an OU called Chicago which contains a Global Group.

Launch the ADRecycleBin tool (be sure to launch it under administrator’s context)

Right click on the child object of a deleted tree and select all

Click on Restore Deleted Object on top right corner

And its simple as that. Lesson of the story, there is always a window for someone to step in and fill the void. I had earlier posted how Server Core that was intended to be managed via CLI only had made a  U-TURN in R2 release of Windows Server 2008. Personally, I wouldn’t mind having to manage this feature solely from PowerShell, but its nice to have the GUI option available.

Download the tool here.

Launch the PowerShell under Administrator’s account context, and type this cmdlet.

Enable-ADOptionalFeature -Identity ‘CN=Recylcle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com

Read and understand the warning of this action’s irreversebility, and hit “Y” for yes to continue.

In following screenshot I show you an error not neccesarily applicable to you, the cmdlet complained about not being able to verify the FSMO ownership role. The reason for this was the fact that in my VM Lab environment I had shut down another DC for maintenance and it had not been replicated or talked to.

As I brought that downed DC back online, forced the replication, I was able to proceed. You can then confirm with this cmdlet.

Get-ADOptionalFeature ‘Recycle Bin Feature’

Here is a great post on this hot feaure of Windows Server 2008 R2.

http://msmvps.com/blogs/ad/archive/2009/03/31/taking-out-the-trash.aspx

As briefly discussed before, a feature to offline domain join machines is available in Windows Server 2008 R2. The utility is called “djoin.exe” which is used to perform this task. Here is an official blurb on what the offline domain join is what it would be used for and then I will show you how to perform this simple task.

“Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network. For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.

A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows® operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller”

I created the metadata as known as “blob” on one of my DC for a Server named 2008R2RC2 that I wanted to join to domain offline (i.e the target machine not connected to the network) and saved it to a txt file called computer_prov, then as usual I run the help on the utility to learn what syntax it has available. Here is the command syntax I ran to provision the computer account and to create the metadata.

djoin /provision /domain techevan.lab /machine 2008R2RC2 /savefile c:computer_prov.txt

I then jumped on the target machine, copy the txt file over and try to run needed syntax with the djoin utility

djoin /requestODJ /loadfile c:computer_prov.txt /windowspath %SystemRoot% /localos

I get an error that I am not running the Shell with elevated privileges, I get out and get back in with the “run as administrator” option, and get the same error.

Perhaps its a bug in RC release, I then tried the same syntax from the conventional CMD line window and was successful.

I then restarted the target computer and machine had been joined to the domain.

For more information please see, http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx

A couple years back someone made a recommendation on Microsoft Exchange Forums that equivalent to Exchange BPA, it would be nice for AD Admins to have an AD Best Practices Analyzer, this was passed on to the AD Team. Though I am not if this particular thread was the driver behind it, but starting in Windows Server 2008 R2, AD Admin will have the BPA.

“Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.”

ADBPA is a great idea, it gives you a quick glance into the new DC you have just stood up. It points you toward setting the NTP settings correctly if the DC is also PDC. It lets you know if your OUs are not set to be protected from accidental deletion. It also reminds you that certain directory partitions (NC) have not been backed up since a certain of period time. You can access the ADBPA from the Server Manager -> ADDS.

You may notice that if you are running the Windows Server 2008 Beta version, there seems to be a bug with ADBPA rule. One of the non-compliant complain is about the DC’s inability to reach a DNS server to retrieve DC specific records even when the DC itself is also the DNS and the pertaining records are existing. This behavior has been corrected in the RC version.

The compliant section also shows where your DC meets the expected configuration, such as when it advertises itself as a DC in its local site. One downside I see with ADBPA is that it cannot be self-launched into its separate MMC. Or unlike the Exchange BPA, it is only accessible in a small window from within the Server Manager. So there if is large number of non-compliant/compliant messages, the browsing ability is not that great.

How does ADBPA gather this data ?

“When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to. The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.”

For more information on ADBPA. See this.

It is version 47 in RC and it may very well change when R2 gets RTM. You can check the objectVersion attribute of your current forest on the Schema Naming Context (NC) via ADSIedit.msc.

Here are some older Schema versions.

13=Win2k
30=2003
31=2003R2
44=2008

Here is more detail of schema changes in Windows Server 2008 R2 RC.

http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx

Creating an additional Password Policy (known as Password Settings Object) in Windows Server 2008 is very easy with QAD Cmdlets. Create a PSO with New-QADPasswordSettingsObject for example as shown below,

[PS] C:\Windows\System32>New-QADPasswordSettingsObject -name "Traders-Password-Policy" `
>> -passwordhistorylength 9 `
>> -passwordcomplexityenabled $true `
>> -minimumpasswordlength 7 `
>> -minimumpasswordage 1 `
>> -maximumpasswordage 15
>>
...

Name Type DN
---- ---- --
Traders-Password-Policy msDS-Passwor... CN=Traders-Password-Policy,CN=Password Settings Container,CN=System,D...

To check what other password’s attributes can be defined, see help for New-QADPasswordSettingsObject. The -appliesto parameter lets you define the PSO for a Group or individual user as well from right within the cmdlet shown above, but you can also do this.

[PS] C:\Windows\System32>Add-QADPasswordSettingsObjectAppliesTo 'traders-password-policy' -AppliesTo joe.blow

Name Type DN
---- ---- --
Joe Blow user CN=Joe Blow,OU=Users,OU=Chicago,DC=techevan,DC=lab

Unfortunately, there is no Set-QADPasswordSettingsObject cmdlet yet that lets you modify an existing PSO. You can use ADSIEDIT.msc to do that. Launch ADSIEDIT, and go to \domain node\System\Password Settings Container. Find the relevant PSO and go to its properties and make your modifications.

If you log on as the user who we just applied this PSO to in our above example, you will be notified that your password expires in 14 days. Its a great feature in Windows 7.

For more information see these links :

http://technet.microsoft.com/en-us/library/cc753481.aspx#BKMK_2

http://windowsitpro.com/article/articleid/99929/use-powershell-to-manage-fine-grained-password-policies-in-windows-server-2008.html

Here is a useful 55 page white-paper that describes the changes in Functionality From Windows Server 2008 to Windows Server 2008 R2

As expected, and just like its counterpart you can’t run guest OS, (child partitions) within Hyper-V when Hyper-V itself is installed as a guest VM. Of course there are several tweaks out there that let you modify VMkernel and supposedly let you run guest VMs in ESX environment. I have yet to come across one that does the trick for Hyper-V. Perhaps its not possible due to some substantial differences how hypervisor of Hyper-V is different than hypervisor of ESX(i) that of VMware. Greg Sheilds recently wrote in length regarding correctly explaining the difference between two products.

Rich Brambley on the other hand installed Hyper-V R2 under VMware Workstation but didn’t proceed to install VM as a guest on it, which in my opinion was against the whole purpose. You can’t really begin to play around with its feature set until you have a hand full of workloads running on it.

I gave it a spin, and I came across the “No, No, you can’t do this” issue. I have Hyper-V R2 installed as a guest on VMware Workstation 6.5.2. As posted in last post, Hyper-V is being managed via Windows Server 2008′s Hyper-V Management feature.

Ever since Microsoft joined VMware in handing out their introductory type-1 hypervisor solutions (without management software) out for FREE, there is a fair share of confusion in IT community regarding the standalone Hyper-V. Hyper-V is a standalone product that will run on a bare-metal box and will need to be managed via Windows Server 2008 Hyper-V Management (feature). Hyper-V is built on Windows Server 2008 Server Core and Windows Admins will find it easy to adjust to managing it. Especially those who have had experience with Server Core.

I wrote a few posts earlier on managing Server Core, regarding the initial configuration, opening the needed ports thru firewall, network configuration etc. You will find that there is another layer of managment window on top of that CLI window you are used to seeing in Server Core. That window is there for you to manage the Hyper-V.

As you log in to Hyper-V both windows the CLI and Hyper-V Configuration pop up, with first one in the background. On Hyper-V configuration window, there is 16 options (sub-menu) that are pretty self explanatory and allow you to setup initial configurations such as adding the server to domain, configuring NIC, enabling RDP, and remote management (WinRM) and so forth.

Remember that with the substantial feedback from IT pros, this new version of Server Core (that Hyper-V is built upon) now has the limited .NET layer added which will make the server management easier but as expected it adds to its size to its previous versions. This is of course only part of recently released Hyper-V R2.

Here are some screenshots of Hyper-V R2.

Lets you know if the account’s status on current DC (you are connected thru ADUC) is locked/unlocked. I did a post earlier regarding account lockouts in Windows Server 2003. This small feature is good to have.

A long awaited PowerShell version 2 will be released with Windows Server 2008 R2 and Windows 7 (currently both in beta). As Microsoft intends to push PoSH as the management/interactive/command driven shell, you will find the PoSH short-cut in your quick launch toolbar. In addition to what PoSH v2 has to offer such as remote management capabilites, a notable difference is the number cmdlets over version 1. PoSH v2 will have total of 235 native cmdlets where version 1 only had 129.

Watch a quick (first) screencast I did on this.

With Windows Server 2008 having role specific snap-ins installed for each role, if you have to demote a Windows Server 2008 DC thru normal “dcpromo” command. You will notice that the DC specific roles from within the Server Manager will not be uninstalled. Even though the DC has been fully demoted,  Active Directory has been uninstalled, the Server has been rebooted but the snap-ins for roles such as AD and DNS are still there (in case your DC was also a DNS). It causes a bit of nuisance as its not as if these snap-ins will serve you like “adminpak” and you could manage AD from other DCs from this member server now. As of course for that you will need the RSAT tools. See the screenshots below to see the problem and error if you try to use the snap-in, and finally see the wizards to remove the lingering roles.

We are all aware how helpful the repadmin tool has become (available thru Windows Support Tools in Windows Server 2003 and earlier) for troubleshooting the replication issues. In Windows Server 2008, this tool along with others come pre-packaged within the OS. You no longer have to install the Support Tools to rein in the benefits of handy command line tools such as, dcdiag, netdiag, rendom and many others.

Here is one repadmin syntax I have become used to as it gives me a snapshot of source DCs and the Destination DCs and their replication status. The command is repadmin /replsum

In above scenario there are two DCs (both Windows Server 2008) showing their latest largest delta times. The Source DC is one that changes have gone out from, where as Destination DC is one who adopted changes from other DC, hence replicated.

What needs to be noticed here is under normal circumstances both DCs would show up under Source and Destination, but since the VM08-02 is a read-only domain controller it can only grab changes from other DC and can’t replicate changes out from it. It only shows up under Destination DC and shows that it was at the receiving end of applying changes to it in terms of Active Directory replication. While read-write domain controller (RWDC) shows changes replicated out from it i.e VM08-01.

The fail/total %% and error column comes very handy when somewhere out there one of your DC has stopped talking to others or hasn’t been talked to due to an issues such is incorrect firewall settings.

Repadmin is one handy tool that all AD Admins should invest a little time learning. For more information on repadmin /showrepl command, click here.

Sounds like a no-brainer, but there is catch. I installed DHCP role on my Server Core that I had previously set up as Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

And then I went ahead and set the service configuration to “auto” with this command,

sc config dhcpserver start= auto (note the space between the equal sign and auto)

And then finally when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occured

System error 50 has occured

The request is not supported

So the catch was, that since RODC can’t write back to the AD to create the needed DHCP security groups i.e DHCP Administrators and DHCP Users, the service would fail.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service does run successfully and you can manage the DHCP Server (that is running on Server Core) from another server using RSAT.

Yes there is. Inevitable as it was, we the System Admins like to accomplish easy tasks from the tip of our fingers, and do things in a graphical click-ing environment. You might have heard of this utility, which came out few months back called ‘Server Core Configurator’ by Guy Teverovsky. I had been reading about the bugs and fixes at Guy’s site and hadn’t given a try. I have now downloaded a copy thats has been fixed up and fine tuned per the request of other readers and users who tried out this utility. I installed it on my Server Core copy and I haven’t been disappointed, it lets you do a lot of common tasks such as adding the machine to the domain, running DCPROMO on it, changing NIC settings, changing display and time zone etc. which would otherwise require you know the command line or registry edit.

While this utility will come in very handy (until Microsoft perhaps comes out of their own), remember its Microsoft’s attempt to offer a small footprint OS of Core features with the likes of Linux based DHCP, and DNS system such Infoblox, and they have tried to persuade the System Admins to learn the powerful capabilities of Cscripts, WMI and Netsh. This does take us the other way a little bit. But I sure am happy to see an option that allows to me do all those initial configuration tasks GUI-ily.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S You can only launch the application from the folder where it was installed, i.e change the directory to the C:\Program Files\Server Core Configurator where it installs by default.

In a full version of Windows Server 2008 there is Initial Configuration Tasks that allows you to configure various things after a fresh install. However since Server Core is GUI-less or more like Shell-less and not entirely GUI-less, the various initial configuration tasks are to be done from the command-line or thru the few built-in cpls.

In next few posts, I will be showing you the basic configuration of out-of-box Server Core. Lets start with changing the Administrator’s password which does not happen during the installation. You may use the good-old net command to do that,

net user administrator *

or change it by pressing CTRL+ALT+DEL and click Change Password.

You may also need to set the date, time and time zone, and there is a left-behind GUI cpl available for it.

control timedate.cpl

Above cpl will launch the normal Date and Time control panel for you to change the settings. The only other cpl included in Server Core is intl.cpl which allows you to change the keyboard layouts

Previously you have been able to use RENDOM utility provided by Microsoft to rename your Window 2000 and Windows Server 2003 domains. However in Windows Server 2008 domain you don’t have to separately install Rendom utility. It gets installed as part of “Active Directory Domain Services” role when you promote a server to the DC role. And It can be found here : %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name. i.e ForestDNSZones, DomainDNSZones, Netbios name. See referenced link for details.

After you have modified the file you can run rendom /showforest which shows you the future configuration, verify and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After thats finishes up successfully, you should also run GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Installing VMAdditions on Windows Server 2008 Core can be tricky. In my virtual lab I have Virtual Server 2005 R2 SP1, I recently decided to test drive the much hyped Server Core from the Windows Server 2008 lineup. For those of you who don’t know what Server Core is and what it will cater to;

Server Core is a minimal server installation option for computers running on the Windows Server 2008 operating system. Server Core provides a low-maintenance server environment with limited functionality. Server Core is an installation option that is capable of five well-known server roles: File Server, DHCP Server, DNS Server, Media Services, and Active Directory. Server Core is not a development platform for new server applications. Although Server Core is not an application platform, it does support the development of management tools, utilities, and agents.

Server Core management tools, utilities, and agents fall into two categories: those that manage a server remotely, and those that run locally to manage the server or return data to a centralized management tool. Remote management tools should not require any changes to support Server Core, as long as the tool uses one of the remote protocols supported in Server Core, such as RPC. Local management agents and utilities may require changes to run properly on Server Core. There is no Windows shell and very limited GUI functionality (the Server Core interface is a command prompt).

The installation of Server Core was pretty straightforward, and GUI based but when it finished I was left with command prompt where the rest of the configuration and setup would be run from. Like in any other Micrsoft VMs, VMAdditions are must as you don’t have a smooth control of your keyboard and mouse, and video is pretty bad.

I started out by mounting the VMadditions ISO from the web interface of VS2005. (Note that this ISO has been updated with the SP1 of VS2005 R2 and provides better results now). But since the Core does not auto-launch the CDs nor does it understand what ISO images are, it failed to kick-off the installation.

The trick was to change the directory to D:\ and by going to Windows\Setup folder and running the Setup.exe file manually, that immediately started the installation and successfully installed the latest Virtual Machine Additions version 13.813 .

Server Core does provide us the ability to run a DC like infrastructure server on a low end machine with the littler foot print on other network resources.

Time to learn the CScripts, WMIC, Netsh etc. to better manage it however !

Updating schema for your forest is not something you do very often, however, it is a requirement when you introduce a Windows server 2003 DC in a Windows 2000 domain or when you introduce the first Windows Server 2008 in your Windows Server 2003 domain. (There may be other times when you have to do this such as when adding Exchange to your environment). Nonetheless it is a very simple and easy task.

 I recently added a Windows Server 2008 domain tree to my existing Windows Server 2003 forest in my lab environment and here is how you do it. You start out by putting Windows Server 2008 DVD (in my case it was mounting the ISO image to the VM) on your schema master DC and from the command prompt you go to the (D:\Sources\adprep\) you can run the help option “/?” to know the syntaxes that apply here.

I ran the “adprep /forestprep”, you will have to hit C and ENTER to give assurance that all your DCs are at Windows 2000 SP4 level or above. In my case it imported about 14 new schema files “.ldf” files and successfully finished.

The next step is to run the “domainprep” syntax from within the same location and that is to be done on your infrastructute master FSMO role. (See FSMO). In my case it was a different DC, so same steps from above except for this time we only had to run the “domainprep” part.

In my case I also ran “adprep /domainprep /gpprep” to update the permissions on my existing GPOs. In future I may write a FAQ or memory refresher about FSMO roles as it is imperative to know the importance of these rules and to understand what we did here and why it could only be done on certain FSMO holders.

You can extend the Windows Server 2008 Evaluation copy you have running for trial/demo/testing purpose for up to 240 days now.

“Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days. Note: Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.”

Download your Eval Copy here

More info on extending the evaluation period